Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Everything as a Service: the New Normal in Procurement
Steve NicholsGeorgia Technology AuthorityMay 9, 2016
Thesis
• More and more procurements will involve software as a service
• Some will be obvious
• Some will not be obvious
Trends in Georgia Procurements
• Small apps going to cloud
• Large apps, apps with regulated data staying in state data center
• Cloud is primarily software as a service (SaaS)
• Driven by business
• Procurements that don’t look like technology, but have a SaaS component
Practical Advice
Rest of my talk is split into two buckets:
• RFPs – requirements for services
• Contracts – terms & conditions for services
Cloud Ts & Cs Best Practice Guide
http://www.govtech.com/cdg/
• Service Models
• Data
• Breach Notification
• Security
• Audits
• Operations
RFP - On Premise, or Cloud Hosted?
• First thing: do you even have a choice?
• Three likely outcomes:
– Premise only
– Cloud only
– Either/or
GTA and cloud
• SO-10-003 Enterprise Operational Environment
– You are required to host with GTA; you can get an exemption; lists 10 requirements for exemption
– http://gta.georgia.gov/psg/article/enterprise-operational-environment
• SA-14-003 Requirements to Use Cloud Services
– Details when you need an exemption from SO-10-003 and how to apply
– http://gta.georgia.gov/psg/article/requirements-use-cloud-services
RFP – Expect Layers of Vendors
• Common to see SaaS vendors using IaaS vendors or co-location vendors to provide the data center
• Be sure to include language in the RFP about disclosing who the subcontractors are
• Think about flow-down requirements
RFP - SSAE 16: a Crash Course
• SOC 1
– Type 1
– Type 2 – you might end up with this, too
• SOC 2
– Type 1
– Type 2 – this is the one you’ll be interested in
• SOC 3
What about FedRAMP?
• FedRAMP = Federal Risk and Authorization Management Program
• Three ways to get FedRAMP certified:
– JAB Provisional Authorization
– Agency Authorization
– CSP Supplied Package
• There are 44 companies certified as compliant (as of March, 2016)
RFP - Location of your Data
• GTA’s position on offshore data
– SS-15-002.01 Data Storage Location
– http://gta.georgia.gov/psg/article/data-storage-location
– All State data must be processed, stored, transmitted and disposed of onshore (within the jurisdiction of the United States).
• You’ll want to cover a couple of additional edge cases here in the RFP
– Data stored on portable devices
– Location of personnel or contractors who are accessing your data remotely to provide technical support
RFP – External Interfaces
• Easy to miss in an RFP
• Suppliers need to know:
– What interfaces?
– Real time or batch?
– Formats?
– Regulatory requirements? (e.g. encryption)
RFP – Disaster Recovery
• DR in SaaS systems use different strategies
• You are largely at the mercy of your provider
• Third party cloud backup providers
RFP - Information Security
• State of Georgia position
– PS-08-005 Enterprise Information Security Charter
– The State follows the Federal Information Security Management Act (FISMA) and supporting documentation from NIST
– http://gta.georgia.gov/psg/article/enterprise-information-security-charter
• At a minimum, put this into your RFP
• There are a lot of other frameworks out there…
– Suppliers that do a lot of federal business
– Suppliers that don’t
Contracts
• Contracts will be mostly silent on the things I’m going to tell you about
• Compliance information and operational processes will likely be on website
• Security details will be in SSAE 16 SOC report
• Put your reading glasses on
Contract - Data Ownership
• The public jurisdiction owns all of its data.
• The service provider will not access the data except as needed to do the work of the contract.
• The public jurisdiction owns all data obtained by the service provider in the performance of this contract.
• Data location – repeat the U.S. only language in the contract
Contract - Security
• The service provider will perform background checks on staff, including subcontractors.
• The service provider shall perform an independent audit of its data centers at least annually.
• That the service provider will make a version of that audit available to you (hopefully as a SSAE 16 SOC 2 report)
• Subcontractors!
Contract - Plan for your exit
• Orderly retreat or rout?
• Nirvanix as a cautionary tale…
– Cloud storage provider (public, private, and hybrid), founded in 2007
– Notified customers to get their data on Sept. 16th, 2013
– Deactivated website on Sept. 28th, filed for Chapter 11 bankruptcy on October 1st.
Contract - Import/Export of Data
• The public jurisdiction can import or export its data whenever needed.
• Termination for convenience: be prepared for 30 days
Contract - Termination/Suspension
• The service provider will not erase the public jurisdiction’s data in the event of a suspension or when the contract is terminated.
• Specific time periods are established where data will be preserved by the service provider.
• The service provider will destroy data using a NIST-approved method when requested by the public jurisdiction.
Cloud Ts & Cs Best Practice Guide
http://www.govtech.com/cdg/